Oki here we are, one Weekend some weeks ago:
NIC down, restart adapter could bring it back up.
Everything normal exept...
Hm...
Wait! Traffic!
Attachment:
status_rrd_graph_img2.png [ 44.63 KiB | Viewed 7222 times ]
A closer look on the traffic and Adresses brought strange facts:
1.) The recieved packet has 14 bytes. Content is "getstatus". No way to filter this with snort, every game client does it (when parsing masterlist).
2.) Depending on how full the server is, the size of the answer packet is bigger.
3.) All Floods come with around 1 Mbits, they generate 15-20 Mbits upstream.
2.) Its all BF2 Servers! Battlefield? I didnt find any clear Info about that, the attacked servers are quake3 v. 1.16 (not urban terror)
oki, what to do now?
Snort is not an option, the Packet content is ok. The Number of Packets isnt.
First, i started to collect those IPs manually from Pfsense-Ntop Packet HTML Output.
Lateron i found a REST Api, built a DB backend which records 60Sec averages (which have bigger then 500 Packets/sec incoming)
Overall P/sec Throughput is stored too.
Last thing is a schedule, it saves new IPs every ***** to Firewall (and a separate table)
Ah. Thats the list it collected the last 3 Days:
- 109.236.82.149
109.236.82.181
141.101.125.235
17.172.232.128
173.193.254.106
173.199.91.39
173.203.183.173
173.231.3.184
174.91.111.108
176.56.228.36
176.9.63.244
182.177.143.49
188.125.140.19
193.150.209.233
195.71.68.33
199.59.163.38
204.61.222.58
205.234.137.219
208.116.44.116
208.43.227.56
208.64.127.48
209.170.124.203
210.148.52.182
212.1.15.12
212.1.208.54
213.103.219.155
213.64.155.236
213.89.170.104
213.89.183.254
216.119.216.188
216.245.213.202
217.23.12.122
217.25.100.100
217.88.247.23
24.183.208.71
24.226.58.219
46.21.154.182
46.37.177.194
50.28.67.28
62.90.138.114
64.34.216.132
64.90.45.202
65.188.169.27
65.34.222.211
66.147.244.84
66.225.198.130
66.252.2.90
66.84.13.92
67.197.152.21
67.201.15.20
67.222.129.248
68.113.195.133
68.32.215.245
69.24.178.242
70.39.121.221
71.43.194.194
72.20.13.77
72.20.18.1
72.20.40.77
72.8.129.1
72.8.129.19
72.91.159.209
74.14.51.221
74.53.201.162
74.63.209.212
74.89.29.33
75.46.67.92
76.125.151.240
76.172.7.77
78.46.74.18
80.217.190.214
80.246.145.185
81.169.179.102
81.226.233.112
82.170.111.113
85.214.53.51
85.227.233.141
85.230.217.129
85.230.220.96
85.30.48.7
86.145.35.242
89.163.170.18
89.165.10.202
89.27.32.59
89.69.103.2
89.77.81.150
91.121.176.210
91.218.36.6
91.229.248.13
93.114.44.164
94.52.44.211
95.208.188.212
95.211.109.94
97.81.128.139
98.126.245.107
Now is peace.
